I’m fairly new to NEOS but have 15+ years TYPO3 experience. I got the main parts going pretty fast in my first 2 projects with NEOS, although the learning curve is quite steep (eel, @context, flow queries, fusion, afx, @cache…). Now I am at the point where backend permissions are on the table and this is where I’m kind of stuck.
In the current project (NEOS 5), there is a site containing a part of relatively default content which is managed by privileged editors. Now, there are also editors who can be invited into the CMS by creating invitation emails with token based links (via backend module). When they accept the invitation, a default content page with some content elements is created as well as a backend account - so far, so good.
Of course, each user shall only see the default content mentioned earlier, as well as the pages which were created just for him. So first question: how can I create privilegeTargets (NodeTreePrivilege) dynamically?
Now, the invited users can link to the default content which is managed by the “admin” editors. Hence, they need to be able to see those contents, but must not be able to edit it. I added the ‘Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege’, which leads to an ugly red exception box containing HTML code when such a used edits content on those restricted nodes. My expectation from a usability point of view is not to have editable properties in the first place instead of an exception afterwards. So second question: Is this the intended behavior or am I doing this wrong?
The last question is more generic: In TYPO3 there is very fine grained control over backend permissions based on entity properties, the page tree, assets and so on IN THE GUI. In NEOS, as far as I have understood it, there is just the policy.yaml which has to be set up by the developer containing hard coded persistence identifiers (or node paths). In my eyes this does in no way meet the expectations I have when using a CMS as those node criteria have to be placed in code, then deployed. So 3rd question: Is there a backend module available for this purpose or am I misinterpreting some concept here?